Webmail using Roundcube

This page deals with the installation of Roundcube as a web mail interface. Roundcube is the software that was also used in the previous versions of this guide. So if your users are used to it… just stay with it.

If my spare time allows it, this guide will be extended with alternative mail clients like Horde, Rainloop and Nextcloud.

So now when your users enter https://webmail.example.org/ in their browser they will get the Roundcube webmail application. Voila. Webmail works.

Username == email address

Keep in mind that we are using the email address as the account name of the user. So when logging in please enter the email address as the user name. E.g. ‘john@example.org’ and password ‘summersun’.

Plugins

Roundcube comes with various plugins that you can offer your users. I suggest enabling at least these two:

password: Let the user change their access password.

managesieve: Let the user manage rules that apply to incoming email. They can move mails to specific folders automatically for example.

Again edit the /etc/roundcube/config.inc.php file and look for the plugins configuration. To enable my recommended plugins change it to:

$config['plugins'] = array(
    'managesieve',
    'password',
);

password plugin

Plugins are configured through files located in the /etc/roundcube/plugins directory. Let’s begin with the password plugin. Edit the /etc/roundcube/plugins/password/config.inc.php file.

Oops, that file looks pretty empty. But it refers us to an example file at /usr/share/roundcube/plugins/password/config.inc.php.dist. There are many different methods to let users change their passwords. As we store that information in the SQL database that is the part we need to set up.

Remove the empty definition line of $config from your config.inc.php file. Let’s go through the required settings one by one:

$config['password_driver'] = 'sql';

Simple. Use SQL as a backend.

$config['password_minimum_length'] = 12;

Allow no passwords shorter than 12 characters. I consider longer passwords more secure than short passwords with weird characters. You can even choose a larger minimum.

$config['password_force_save'] = true;

This will overwrite the password in the database even if it hasn’t changed. It helps us improve the strength of the password hash even if the user chooses to keep his old password.

$config['password_dovecotpw'] = '/usr/bin/doveadm pw -s BLF-CRYPT';

The command to create a hash for a new password that the user entered.

$config['password_dovecotpw_method'] = 'BLF-CRYPT';

Add a prefix to the password hash that explicitly designates it as a bcrypt hash. That makes it easy if in the future we want to use other hashing algorithms.

$config['password_db_dsn'] = 'mysql://mailadmin:gefk6lA2brMOeb8eR5WYaMEdKDQfnF@localhost/mailserver';

Connection information for the local database. Use your own password for the mailadmin database user here. We cannot use the restricted mailserver user because we have to actually change data in the database.

$config['password_query'] = "UPDATE virtual_users SET password=%D WHERE email=%u";

The SQL query that is run to write the new password hash into the database. %D is a placeholder for the new password hash. And %u is obviously the email address.

Try it. Log into Roundcube as ‘john@example.org’ with password ‘summersun’. Go to the Settings. Choose Password. Enter a new password twice. You should get a success message at the bottom right (yeah, it’s a bit hidden). Now logout and login with the new password. Does it work? Great.
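
The settings above can also be checked mechanically. The following shell lint is an added example, not part of the original guide or of Roundcube: it flags values that deviate from this page, a DSN that still carries the guide's sample password, and a config file that other users can access. The function names cfg_value and audit_password_config and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original guide: lint the password plugin's
# config.inc.php against the settings recommended on this page.

# cfg_value FILE KEY: print the last uncommented value of $config['KEY'].
cfg_value() {
    grep -F "\$config['$2']" "$1" | grep -Ev '^[[:space:]]*(//|#)' | tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/;.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//"
}

# audit_password_config FILE: print one finding per line, nothing if clean.
audit_password_config() {
    f=$1
    [ "$(cfg_value "$f" password_driver)" = sql ] ||
        echo "password_driver is not 'sql'"
    len=$(cfg_value "$f" password_minimum_length)
    case $len in '' | *[!0-9]*) len=0 ;; esac
    [ "$len" -ge 12 ] || echo "password_minimum_length is below 12"
    [ "$(cfg_value "$f" password_force_save)" = true ] ||
        echo "password_force_save is off: old hashes are never rewritten"
    [ "$(cfg_value "$f" password_dovecotpw_method)" = BLF-CRYPT ] ||
        echo "password_dovecotpw_method is not BLF-CRYPT"
    case $(cfg_value "$f" password_db_dsn) in
        *gefk6lA2brMOeb8eR5WYaMEdKDQfnF*)
            echo "password_db_dsn still uses the guide's sample password" ;;
    esac
    # The DSN holds the mailadmin password in clear text, so the file must
    # not be accessible to "other" (mode string positions 8-10 must be ---).
    case $(ls -ld "$f") in
        ???????---*) ;;
        *) echo "config file is accessible to other users" ;;
    esac
}

# Constructed sample: this page's settings, saved world-readable (0644).
sample=$(mktemp)
cat >"$sample" <<'EOF'
<?php
$config['password_driver'] = 'sql';
$config['password_minimum_length'] = 12;
$config['password_force_save'] = true;
$config['password_dovecotpw'] = '/usr/bin/doveadm pw -s BLF-CRYPT';
$config['password_dovecotpw_method'] = 'BLF-CRYPT';
$config['password_db_dsn'] = 'mysql://mailadmin:gefk6lA2brMOeb8eR5WYaMEdKDQfnF@localhost/mailserver';
EOF
chmod 644 "$sample"
audit_password_config "$sample"
```

On a real installation, run audit_password_config against /etc/roundcube/plugins/password/config.inc.php; the web server user still needs read access to that file, so restrict it by group rather than removing access entirely.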

sieve plugin

Sieve is used for server-side rules. Dovecot executes these rules every time a new email comes in. Of course every mailbox can have its own rules. To manage sieve rules Dovecot offers the managesieve interface that you enabled earlier. So we just need to tell Roundcube how to reach it.

The configuration file for Roundcube’s managesieve plugin is found at /etc/roundcube/plugins/managesieve/config.inc.php. Edit the file and again remove or comment out the empty $config line. You can again find all possible configuration options in the /usr/share/roundcube/plugins/managesieve/config.inc.php.dist file.

This time just one setting is required to tell Roundcube which server to talk to:

$config['managesieve_host'] = 'localhost';

Sieve rules are stored in a special syntax on the server. This is an example that moves an incoming email to the test folder if its subject line contains “test”:

…just in case you are struggling with the same “Could not save new password. Encryption function missing.” error as I did:

Find the “disable_functions” statement in your php.ini file and check whether the “proc_open” function is listed there. In my case it was. As a result, the subprocess, which is supposed to calculate the hash of the new password, could not be spawned properly. The “[…] proc_open() has been disabled for security reasons […]” message in /var/log/roundcube/errors pointed me in that direction.

After a few minutes of debugging it turned out to be a problem with permissions for /etc/dovecot/conf.d/90-sieve.conf. The update password function is executed as the www-data user, which had no permissions to read the above file.

Yes – at this moment I also stopped and looked for where I had entered something wrong 🙂
Great tutorial – many thanks!
I have several mail servers on Debian without mysql but now I am happy to read and set up a new server. Many thanks for your work.

Just for the record: I’ve tried it, and it works fine with just plain ‘localhost’ for both ‘default_host’ and ‘smtp_server’. Also cross-checked with the previous tutorials, and those suggest just simply ‘localhost’.
